Detections
Analytics

CIS CentOS Linux 8 Server L1 v1.0.1

Warning! Audit Deprecated

This audit file has been deprecated and will be removed in a future update.

View Next Version

Audit Details

Name: CIS CentOS Linux 8 Server L1 v1.0.1

Updated: 10/3/2023

Authority: CIS

Plugin: Unix

Revision: 1.8

Estimated Item Count: 299

File Details

Filename: CIS_CentOS_8_Server_v1.0.1_L1.audit

Size: 559 kB

MD5: 4f33823be5fc92174fb57b242302033b
SHA256: cc71d31ec1f327bd083b0e24a1916d18ef55a381a2ba91f143b19c2113589abb

Audit Changelog

 
Revision 1.8

Oct 3, 2023

Informational Update
  • 5.5.5 Ensure default user umask is 027 or more restrictive - default user umask
  • 5.5.5 Ensure default user umask is 027 or more restrictive - less restrictive system wide umask
Revision 1.7

Jun 3, 2022

Functional Update
  • 6.2.7 Ensure users' home directories permissions are 750 or more restrictive
Added
  • 1.4.2 Ensure filesystem integrity is regularly checked - cron
  • 1.4.2 Ensure filesystem integrity is regularly checked - systemctl is-enabled aidecheck.service
  • 1.4.2 Ensure filesystem integrity is regularly checked - systemctl is-enabled aidecheck.timer
  • 1.4.2 Ensure filesystem integrity is regularly checked - systemctl status aidecheck.timer
Removed
  • 1.4.2 Ensure filesystem integrity is regularly checked
Revision 1.6

Jun 1, 2022

Miscellaneous
  • Audit deprecated.
  • Metadata updated.
  • References updated.
Revision 1.5

May 11, 2022

Functional Update
  • 1.1.22 Disable Automounting
  • 2.2.10 Ensure FTP Server is not enabled
  • 2.2.11 Ensure DNS Server is not enabled
  • 2.2.12 Ensure NFS is not enabled
  • 2.2.13 Ensure RPC is not enabled
  • 2.2.14 Ensure LDAP server is not enabled
  • 2.2.15 Ensure DHCP Server is not enabled
  • 2.2.16 Ensure CUPS is not enabled
  • 2.2.17 Ensure NIS Server is not enabled
  • 2.2.4 Ensure Avahi Server is not enabled - avahi-daemon.service
  • 2.2.4 Ensure Avahi Server is not enabled - avahi-daemon.socket
  • 2.2.6 Ensure HTTP Proxy Server is not enabled
  • 2.2.7 Ensure Samba is not enabled
  • 2.2.8 Ensure IMAP and POP3 server is not enabled
  • 2.2.9 Ensure HTTP server is not enabled
Revision 1.4

Apr 25, 2022

Miscellaneous
  • Variables updated.
Revision 1.3

Mar 29, 2022

Miscellaneous
  • Metadata updated.
  • References updated.
Revision 1.2

Mar 18, 2022

Functional Update
  • 1.8.2 Ensure GDM login banner is configured - banner message enabled
  • 1.8.2 Ensure GDM login banner is configured - banner message text
Miscellaneous
  • Metadata updated.
  • References updated.
  • Variables updated.
Revision 1.1

Aug 24, 2021

Functional Update
  • 1.10 Ensure system-wide crypto policy is not legacy
  • 1.3.2 Ensure sudo commands use pty
  • 1.3.3 Ensure sudo log file exists
  • 1.6.1 Ensure core dumps are restricted - /etc/security/limits.d/*
  • 1.6.1 Ensure core dumps are restricted - /etc/sysctl.d/*
  • 3.1.1 Ensure IP forwarding is disabled - sysctl.conf ipv4
  • 3.1.1 Ensure IP forwarding is disabled - sysctl.conf ipv6
  • 3.1.2 Ensure packet redirect sending is disabled - 'net.ipv4.conf.all.send_redirects = 0'
  • 3.1.2 Ensure packet redirect sending is disabled - 'net.ipv4.conf.default.send_redirects = 0'
  • 3.2.1 Ensure source routed packets are not accepted - 'net.ipv4.conf.all.accept_source_route = 0'
  • 3.2.1 Ensure source routed packets are not accepted - 'net.ipv4.conf.default.accept_source_route = 0'
  • 3.2.1 Ensure source routed packets are not accepted - 'net.ipv6.conf.all.accept_source_route = 0'
  • 3.2.1 Ensure source routed packets are not accepted - 'net.ipv6.conf.default.accept_source_route = 0'
  • 3.2.2 Ensure ICMP redirects are not accepted - 'net.ipv4.conf.all.accept_redirects = 0'
  • 3.2.2 Ensure ICMP redirects are not accepted - 'net.ipv4.conf.default.accept_redirects = 0'
  • 3.2.2 Ensure ICMP redirects are not accepted - 'net.ipv6.conf.all.accept_redirects = 0'
  • 3.2.2 Ensure ICMP redirects are not accepted - 'net.ipv6.conf.default.accept_redirects = 0'
  • 3.2.3 Ensure secure ICMP redirects are not accepted - 'net.ipv4.conf.all.secure_redirects = 0'
  • 3.2.3 Ensure secure ICMP redirects are not accepted - 'net.ipv4.conf.default.secure_redirects = 0'
  • 3.2.4 Ensure suspicious packets are logged - 'net.ipv4.conf.all.log_martians = 1'
  • 3.2.4 Ensure suspicious packets are logged - 'net.ipv4.conf.default.log_martians = 1'
  • 3.2.5 Ensure broadcast ICMP requests are ignored - 'net.ipv4.icmp_echo_ignore_broadcasts = 0'
  • 3.2.6 Ensure bogus ICMP responses are ignored - 'net.ipv4.icmp_ignore_bogus_error_responses = 0'
  • 3.2.7 Ensure Reverse Path Filtering is enabled - net.ipv4.conf.all.rp_filter = 0
  • 3.2.7 Ensure Reverse Path Filtering is enabled - net.ipv4.conf.default.rp_filter = 1
  • 3.2.8 Ensure TCP SYN Cookies is enabled - net.ipv4.tcp_syncookies = 1
  • 3.2.9 Ensure IPv6 router advertisements are not accepted - net.ipv6.conf.all.accept_ra = 0
  • 3.2.9 Ensure IPv6 router advertisements are not accepted - net.ipv6.conf.default.accept_ra = 0
  • 3.4.2.2 Ensure iptables service is not enabled with firewalld - inactive
  • 3.4.4.1.5 Ensure iptables is enabled and active - enabled
  • 3.4.4.1.6 Ensure iptables is enabled and active - enabled
  • 3.4.4.2.5 Ensure ip6tables is enabled and active - enabled
  • 5.4.1 Ensure password creation requirements are configured - password complexity
  • 5.4.2 Ensure lockout for failed password attempts is configured
Miscellaneous
  • References updated.
Added
  • 3.4.3.4 Ensure nftables loopback traffic is configured - 'ip saddr'